Thanks to Tim Easton of SophosLabs for his behind-the-scenes work on this article.

Sadly, the headline is accurate.

Fortunately, however, the outcome was not as bad as it could have been.

Linux Mint sits firmly at the top of the last year’s worth of stats in the Distrowatch list, so it’s unarguably a popular distro, at least for end-users.

Mint is based on Ubuntu, which in turn is built on Debian, so it’s not surprising to see those three distros in the top spots.

Mint, you might say, is like “Ubuntu with choice,” so you aren’t stuck with Ubuntu’s look-and-feel, which is perhaps best described as similar-yet-resolutely-different.

For newcomers to Linux, especially those used to Windows, Mint can be a lot less intimidating than facing up to Ubuntu’s unfamiliar desktop, or to Debian’s technocentricity.

I’ve used it myself on a low-powered netbook and found it fast and friendly, so it’s not hard to see why it’s a popular choice for those wanting to get into using Linux without any visual or technical surprises.

What happened?

Here’s what seems to have happened, according to the commendably prompt and open disclosure of Mint’s founder and project leader, Clement Lefebvre, better known as Clem.

Hackers got in and modified a PHP script that was part of a WordPress installation used by the Mint project.

If you used Mint’s download page to find your way to your download of choice, the malicious PHP script would redirect you to an imposter site.

The only affected downloads were the versions known as Linux Mint 17.3 Cinnamon edition. (Each edition has its own look and feel; others versions include MATE, KDE and Xfce, none of which were affected.)

The imposter server contained both 32-bit and 64-bit versions of Cinnamon, but only the 64-bit version is known to have been hacked.

As Clem said on the Mint blog:

Q. [W]hich version of Cinnamon[? …Was] it 32-bit or 64-bit version affected or both?

A. 64-bit definitely, 32-bit didn’t show [signs of infection] but was found on the Bulgarian server, so it looks like they were preparing to compromise this one as well later on.

Clem’s mention of “the Bulgarian server” refers to 5.104.175.212, the IP number of the imposter site used by the attackers, which is somewhere in Bulgaria.

Because the crooks didn’t manage to hack the actual Linux Mint repositories, they weren’t able to compromise the Mint source code, or the official Mint download ISOs (disk images), or even the list of official download checksums.

In short: if you’re a Mint user, and you downloaded a Mint 17.3 Cinnamon ISO over the the weekend, and you didn’t validate the ISO’s checksum against an officially published list, and you installed the ISO, you probably have malware on your computer.

Update. A subsequent post on the Linux Mint blog confirms the bad news that, during this attack, the Mint online forum database was stolen, including usernames, hashed passwords, and user profile information. Worse still, private posts and messages were stolen, too. Change your password, and be sure to choose one that’s different from any of your other online accounts! [2016-02-22T12:30Z]

What to look for?

According to the Mint blog, an easy way to see if you’re affected is to look in the directory /var/lib/man.cy: if the directory is empty, you are probably OK; if there is a file in it, you’re probably infected.

SophosLabs reports that the malware is Linux/Tsunami-A, also known as Kaiten.

This is a rather old Linux bot, or zombie, that is readily available in source-code form.

Tsunami connects to an IRC server (a command-and-control technique rarely seen in modern bots, because so many networks block IRC traffic these days) and waits for instructions from the crooks who control the server.

Commands that the crooks can give to your computer include: ordering it to start a denial of service (DoS) attack against someone else, and instructing it to download and run additional malware.

What to do?

If you didn’t download a Mint Cinnamon ISO this weekend, you don’t need to worry.

If you downloaded an ISO but didn’t install it yet, just delete the ISO, and then you don’t need to worry.

If you had Mint already installed and did any sort of update (not a reinstall) over the weekend, you don’t need to worry.

If you don’t have any files in /var/lib/man.cy, you probably don’t need to worry.

In the unlikely event that you are infected, just get a fresh ISO and install again to replace the infected version.

By the way, if you run your own WordPress installation, why not take this as a reminder to check it out?

Make sure that your operating system, version of WordPress, PHP, plugins and themes are all up-to-date, and do a quick security review.

Just in case!

Update. The Mint online forum database was stolen during this attack, including usernames, hashed passwords, user profile information, private posts and private messages. So you should change your password, and be sure to choose one that’s different from any of your other online accounts. [2016-02-22T12:30Z]

Post navigation

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Follow him on Twitter: @duckblog

Sounds like you’re fine, then. If in doubt, you can always fetch Sophos Antivirus or Sophos Bootable Antivirus and give it a quick check.

Remember, unless you downloaded a booby-trapped ISO over the weekend, didn’t test the checksum, and then actually installed it, you’re OK. In other words, if you already had Mint installed before the weekend, you can relax. Also, as mentioned in the article, the 32-bit version was probably OK anyway.

The absence of (or an empty) /var.lib/man.cy is what you want. The presence of /var/lib.man.somethingelse is not a sign of infection in this case.

Paul…..just to be clear because you are the first person that mentioned “the absence of” in regards to the man.cy folder. Like many people, I found the man.db and worried that I am searching in the wrong place or something. I couldnt find a man.cy folder at all, and most every reference is written in a way that suggests you should find the folder, but empty, to verify youre not infected/affected. Could you reiterate that this is definitely the case ? I did run the checksum, and it matched. But want to confirm. Thanks !

As far as I know, a system that’s infected due to installing from a booby-trapped ISO will have an infected file a directory called /var/lib/man.cy. (The similarity to man.db, a directory that’s perfectly normal, is presumably intentional.) Therefore, as a quick test of your system:

* If there is a directory called /var/lib/man.cy, but it’s empty, you’re probably OK.

* If there is isn’t a directory called /var/lib/man.cy, then there definitely aren’t any files in it 🙂 You’re probably OK.

I took out the words “almost certainly,” which indeed do not belong. But apart from that implicit criticism in your comment, I don’t know what you’re trying to say.

The graph in the article says “Distro “hits per pay”,” which I think makes it pretty clear that it’s not “downloads per day” (or else I would have said so). And you admit that as a diehard Debian user, you’d never visit the Mint page on Distrowatch…and why would you?…so you certainly won’t skew the statistics in favour of a distro you don’t use.

I therefore think that Distrowatch page hits make a good-enough metric.

And I bet you that more home users run Mint than run Debian. For the uninitiated, is *is* easier. Whether it’s better in the end is a matter of opinion, but that’s not the issue.

Is it possible to use the SBAV to scan a linux system ? Following this article I tried it out and when I run it all I see is scanning of boot sectors, but not of the linux files themselves (EXT4 system)

Yes, it can scan Linux filesystems, but now I think about it, you might need to mount them yourself. I think it may only automount Windows ones (various flavours of FAT and NTFS), as it’s primarily intended as a rootkit-bypassing tool for Windows systems.

Thanks Paul. I’ll try again this weekend and manually mount the FS.
I’m running LM 17.2 so I’m not affected by the ISO, but the article did arouse my curiosity about SBAV and consequently trying it out…

IMHO this shows the very importance of publishing checksums and of checking these checksums after downloading. However, as far as I can see, Sophos itself doesn’t publish checksums for Sophos Antivirus for Linux on it’s website, but only for some other products. I’d be happy to find them somewhere and check it before running an virus scanner installation as root.

Good point. Most of our endpoint software comes as EXE installers – those are digitally signed (“authenticoded”) and can be checked using standard Windows techniques. That’s an ideal approach because the signature goes with the download, is itself digitally signed, and can be verified by Windows, including using certificate revocation checks.

The Linux tarball doesn’t contain a digital signature, not least because there’s no standard way to do that.

I think I’ll ask our web publishing chaps about adding a shasum of some sort on the download page 🙂

Paul, I’m a newbie to linux and I want to know which linux distro do you recommend me. I have years using Windows XP and everytime my computer gets virus infected I reinstall the OS because anti-virus software make my computer slow. I want a linux distro that is easy to use like Windows, has no malware and virus problems and that is easy to install. Please help me.